v2.4 — 22-phase methodology, now hosted

Autonomous AI pentesting, on demand.

Xalgorix runs reconnaissance, injection, IDOR, SSRF, RCE, and 18 other offensive phases against your target — then ships a verified, evidence-backed report.

5 free scans · no card required

~ xalgorix scan #4f2a · target: app.acme.com
running phase 8/22
[01] reconnaissance        ✓ 47 subdomains, 12 origins
[04] cors & cookies        ! permissive CORS w/ credentials
[06] injection             ! blind SQLi confirmed (5012ms delta)
[08] idor                  ! /api/invoices/:id leaks all tenants
[20] exploit verification  … chaining sqli → admin token
critical · IDOR allows reading any user's invoices · CVSS 9.1

features

Everything you need for autonomous security testing.

From live scan telemetry to branded PDF reports — Xalgorix handles the full engagement lifecycle, hosted on our infrastructure.

Hosted Web Dashboard

No installs, no Go toolchain, no LLM keys. Sign in and launch your first scan in 60 seconds.

Live Scan Telemetry

WebSocket event stream: tool calls, agent messages, HTTP activity, phase progress — all in real time.

22-Phase Methodology

Run the full sweep or focus on recon, injection, auth, API, upload, cloud, or WebSocket phases.

Verified Findings

Every finding is exploit-verified before it lands in your report. Less noise, more signal.

Branded PDF Reports

Executive summary, severity breakdown, PoC, remediation steps — with your company logo.

Scan Modes

Single target, wildcard / multi-target, or browser-driven DAST. Credit-based, no surprise bills.

Schedules & Automation

Recurring scans on cron-style schedules. Continuous coverage of your attack surface.

Team & Sharing

Share findings and reports with stakeholders via signed links. No login needed for read-only views.

REST API

Programmatic scan creation, status, and report retrieval. Wire Xalgorix into your CI/CD.

Rate Limits & Safety

Configurable request rates, circuit breakers, and blocked destructive commands protect your infra.

Scan Persistence

Resume interrupted scans. Multi-target queues process sequentially with full state recovery.

Multi-LLM Backend

We run on top frontier models — GPT-5, Claude, Gemini. You don't manage providers or keys.

methodology

22 phases. Every engagement.

Pick the full sweep or focus on a single phase. Every finding is exploit-verified before it lands in your report.

phase 01 · Reconnaissance
phase 02 · Manual vulnerability discovery
phase 03 · Directory and file discovery
phase 04 · CORS and cookie analysis
phase 05 · Authentication and session testing
phase 06 · Injection testing
phase 07 · SSRF testing
phase 08 · IDOR and broken access control
phase 09 · API and GraphQL testing
phase 10 · File upload testing
phase 11 · Deserialization and RCE
phase 12 · Race conditions and business logic
phase 13 · Subdomain takeover
phase 14 · Open redirect testing
phase 15 · Email security testing
phase 16 · Cloud and infrastructure
phase 17 · WebSocket testing
phase 18 · CMS-specific testing
phase 19 · Broken link hijacking and content spoofing
phase 20 · Exploit verification
phase 21 · Zero-day discovery
phase 22 · Final report

workflow

From signup to report in 7 steps.

Zero to scanning in under 60 seconds. We handle the infrastructure, methodology execution, and report generation.

01 · Sign up

Create an account. 5 free scan credits, no card required.

02 · Add target

Paste a URL, hostname, or wildcard. We validate scope on submit.

03 · Pick mode

Single, wildcard, or DAST. Choose all 22 phases or a focused subset.

04 · Launch

Scan kicks off instantly on our infrastructure. No queue, no waiting.

05 · Monitor live

Watch tool calls, agent messages, and phase progress stream in real time.

06 · Review findings

Verified findings with severity, evidence, CVSS, and remediation guidance.

07 · Share report

Download a branded PDF or share a signed link with your team.

scan modes

Three ways to engage.

Single target

One URL or host. Fastest path to actionable findings.

Best for: known URLs, quick assessments

1 credit

Wildcard / multi

Enumerate attack surface, then scan everything discovered.

Best for: bug bounty, surface discovery

1 credit / scan

DAST

Browser-driven testing for auth flows, forms, and runtime behavior.

Best for: web apps, auth flows, forms

3 credits

the xalgorix suite

More tools from Xalgorix.

A growing family of offensive-security products. Built by the same team, sharing the same methodology.

BountyLabs

live

Hands-on labs and CTF-style environments to sharpen your bug-bounty edge.


HuntFlow

coming soon

Workflow automation for bug-bounty hunters — recon, triage, and reporting in one pipeline.


BugReportly

coming soon

Beautiful, structured bug reports that program managers actually want to read.


live observability

Watch every scan in real time.

WebSocket-powered event stream surfaces tool invocations, agent reasoning, findings, HTTP activity, LLM token usage, and phase transitions — the second they happen.

147 tool calls · 12 findings · 48.2k LLM tokens · 2,341 HTTP requests

live feed — scan:a3f8c2 · connected
00:12:34 [TOOL]  nuclei -t cves/ -u https://target.com
00:14:02 [FIND]  Critical: SQL Injection on /api/search
00:14:15 [AGENT] Analyzing response patterns for auth bypass...
00:14:22 [HTTP]  POST /api/login → 200 (342ms)
00:14:30 [LLM]   openai/gpt-5.4 → 2,847 tokens
00:15:01 [PHASE] Phase 6/22: Injection Testing — started
00:16:45 [FIND]  High: IDOR on /api/users/{id}
00:17:12 [ERR]   Tool timeout: sqlmap (30s, retrying)

findings & reports

From scan output to report-ready findings.

Centralized findings with severity filters, CVSS details, evidence, and branded PDF report generation.

1 critical · 3 high · 5 medium · 3 low

Critical · CVSS 9.8 · XAL-2026-001

SQL Injection in Search Parameter

https://target.com/api/search

Unauthenticated SQL injection via the 'q' parameter allows arbitrary database queries.

High · CVSS 7.5 · XAL-2026-002

IDOR on User Profile Endpoint

https://target.com/api/users/{id}

Authenticated users can access any user profile by modifying the ID parameter.

Medium · CVSS 5.3 · XAL-2026-003

Missing Rate Limiting on Login

https://target.com/login

No rate limiting on authentication endpoint allows brute-force attempts.

pricing

Simple. Credit-based.

Full pricing →
free · $0/mo · 5 scan credits · 1 concurrent
starter · $20/mo · 50 scan credits · 2 concurrent
pro (popular) · $49/mo · 200 scan credits · 5 concurrent
team · $199/mo · 1000 scan credits · 8 concurrent

hosted vs self-hosted

Two ways to run Xalgorix.

The engine is open source. This site is the hosted version — same methodology, zero setup. Or grab the CLI and run it on your own infrastructure.

Capability
Hosted (this app)
Self-hosted CLI
Hosted infrastructure
Zero install / setup
Managed LLM (no API keys)
Live WebSocket telemetry
22-phase methodology
Verified findings + PDF reports
REST API & scheduled scans
Team sharing & signed links
Runs on your own machine
Open source (MIT)

Prefer self-hosted? Get the open-source CLI on GitHub →

faq

Common questions.

Do I need to install anything?
No. Xalgorix is fully hosted. Sign in, paste a target, click scan. The open-source CLI is available separately at github.com/xalgord/xalgorix if you'd rather run it locally.

How long does a scan take?
Single-target scans typically finish in 10–30 minutes. Wildcard and DAST scans depend on attack surface and can run for several hours. You'll see live progress the whole time.

Are findings actually exploit-verified?
Yes. Phase 20 is dedicated to exploit verification — findings that can't be reproduced don't reach your report. You get evidence, not noise.

Can I use this for bug bounty?
Yes, on programs where you have authorization and the scope permits automated testing. Respect every program's rules of engagement.

What about authorization?
Only scan systems you own or have explicit written permission to test. We log every scan and require you to confirm authorization on each target.

Which LLMs power the agents?
We route across frontier models — GPT-5, Claude, Gemini — picking the best fit per phase. You don't manage providers, keys, or rate limits.

How does pricing work?
Credit-based. Single = 1 credit, DAST = 3, Wildcard = 1 credit per live subdomain (recon and dead hosts are free). Subscriptions include monthly credits; top-up packs are available. See the pricing page for details.

Is there an API?
Yes. Create scans, poll status, fetch findings, and pull reports programmatically. Generate API keys from your dashboard settings.

Ship safer. Faster.

Spin up your first autonomous engagement in under 60 seconds.

Start free